Return Values

Returns a string containing the calculated message digest as lowercase hexits
unless raw_output is set to true in which case the raw
binary representation of the message digest is returned.
Returns FALSE when algo is unknown or is a
non-cryptographic hash function.

User Contributed Notes 16 notes

Please be careful when comparing hashes. In certain cases, information can be leaked by using a timing attack. It takes advantage of the == operator only comparing until it finds a difference in the two strings. To prevent it, you have two options.

Option 1: hash both hashed strings first - this doesn't stop the timing difference, but it makes the information useless.

Sometimes a hosting provider doesn't provide access to the Hash extension. Here is a clone of the hash_hmac function you can use in the event you need an HMAC generator and Hash is not available. It's only usable with MD5 and SHA1 encryption algorithms, but its output is identical to the official hash_hmac function (so far at least).

Very important notice: if you pass an array to $data, PHP will generate a Warning, return NULL and continue your application. I think this is a critical vulnerability, as this function is typically used to check authorisation.

Example:
<?php
var_dump(hash_hmac('sha256', [], 'secret'));
?>

WARNING hash_hmac() expects parameter 2 to be string, array given on line number 3
NULL

Of course, this is not a documented feature.
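An added example (not from the manual or from any of the notes) that addresses the two notes above together: the MAC check rejects non-string input before calling hash_hmac(), and compares digests with hash_equals(), falling back to the "hash both strings first" approach from Option 1 where hash_equals() is unavailable. The names safe_equals() and verify_hmac() and the sample values are hypothetical.

```php
<?php
// Added example: safe_equals() and verify_hmac() are hypothetical helper names.

// Compare two strings without revealing where the first difference is.
function safe_equals($known, $user)
{
    if (function_exists('hash_equals')) {
        return hash_equals($known, $user); // available since PHP 5.6
    }
    // Option 1 from the timing note: HMAC both values under a throwaway
    // random key, so any timing difference only relates to digests that
    // cannot be predicted or steered from outside.
    $k = openssl_random_pseudo_bytes(32);
    return hash_hmac('sha256', $known, $k) === hash_hmac('sha256', $user, $k);
}

// Verify that $mac is the HMAC-SHA256 of $data under $key.
function verify_hmac($data, $mac, $key)
{
    // Fail closed on anything that is not a string. Depending on the PHP
    // version, an array reaching hash_hmac() gives a warning plus NULL or
    // a TypeError; neither outcome should decide an authorisation check.
    if (!is_string($data) || !is_string($mac)) {
        return false;
    }
    $expected = hash_hmac('sha256', $data, $key);
    return safe_equals($expected, $mac);
}

// Constructed sample input, for illustration only.
$key  = 'constructed-demo-key';
$data = 'user=alice&role=editor';
$mac  = hash_hmac('sha256', $data, $key);

var_dump(verify_hmac($data, $mac, $key));                // matching MAC
var_dump(verify_hmac($data, str_repeat('0', 64), $key)); // wrong MAC
var_dump(verify_hmac(array(), $mac, $key));              // array as data
var_dump(verify_hmac($data, null, $key));                // missing MAC
```

Only the first call is accepted; the other three are rejected without hash_hmac() ever receiving a non-string argument.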

This Is The Most Secure Way To Hash Your Data, It Will Be Almost Impossible To Retrieve Your Data.

--------------------------------------------------------
--- Create Two Random Keys And Save Them In Your Configuration File ---
<?php
// Create A Random Key
echo base64_encode(openssl_random_pseudo_bytes(64));
?>
--------------------------------------------------------
<?php
// Save The Keys In Your Configuration File
define('FIRSTKEY','TNYazlbZ1Mq3HDMiEFDLrRMZBftFqpU2Ipytgytsc+jmQysE8lmigKtmGK+exB337ZOcAgwPpWmoPHL5niO3jA==');
define('SECONDKEY','z5hh/Kax4+HKZ8exOlvGlrHev/6ZynOEn904yiiIcWo/qLXWSfLkzm4NSJiGXu4uR7xxUowOkO26VqAi2p2DYQ==');
?>
--------------------------------------------------------
<?php
function secured_hash($data)
{
    $first_key = base64_decode(FIRSTKEY);
    $second_key = base64_decode(SECONDKEY);

HOTP Algorithm that works according to the RFC http://tools.ietf.org/html/draft-mraihi-oath-hmac-otp-04
The test cases from the RFC document the ASCII string as "123456787901234567890".
But the hex decoded to a string is "12345678901234567890".
Secret="12345678901234567890";
Count:
0 755224
1 287082
<?php
function oath_hotp($key,$counter) {